[Owasp-leaders] Password complexity guidance

Matt Tesauro matt.tesauro at owasp.org
Wed Dec 11 19:23:46 UTC 2013


We should probably link to the OWASP Passfault project as well - once
consensus is reached.

Site: http://www.passfault.com/

Project Page: https://www.owasp.org/index.php/OWASP_Passfault

"When setting a password, Passfault examines the password, looking for
common patterns. Passfault then measures the strength of the patterns and
combinations of patterns. The end result is a more academic and accurate
measurement of password strength."

I generally agree that passphrases are better than short strings of
gibberish.

--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project


On Wed, Dec 11, 2013 at 12:43 PM, Michael Coates
<michael.coates at owasp.org> wrote:

> We have two references (and probably more - please send if you see more)
> for password complexity.
>
> https://www.owasp.org/index.php/Password_length_%26_complexity
>
> https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls
>
> First - I agree passwords alone need to die. It's not sufficient. But that
> said, passwords will be around until the next solution is ready. So, in the
> interim we should provide the best guidance on selecting good passwords.
>
>
> I no longer agree with the approach of forcing users to select gibberish
> passwords. I believe that passphrases are much better. They achieve great
> entropy and are far easier for users to remember. My initial position is we
> should shift our guidance away from the old complex recommendation to a
> passphrase recommendation.
>
> Agree? Disagree? Interested in your thoughts.
>
> Whatever we do select, we should make sure we cross link so we don't have
> multiple sources of information that could be out of date.
>
> --
> Michael Coates
> @_mwc
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
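The thread contrasts two ways of judging a password: the old "complexity" view (how many character classes, how long) and the Passfault view (which known patterns does it decompose into, and how cheap is each for an attacker to guess). The following Python script is an added illustration written for this archive page; it is not Passfault's code and not code from either poster. It implements the pattern idea in miniature: a constructed, frequency-ranked sample wordlist (the ranks are illustrative assumptions, not real corpus data), a leet-substitution table, digit runs, repeated characters, and a brute-force fallback, combined with a dynamic programme that picks the cheapest decomposition. Put next to the naive charset estimate, it shows why "P@ssw0rd1" scores far below a four-word passphrase despite looking "complex", which is the point Michael makes about passphrase entropy.

```python
"""Pattern-aware password strength estimate versus naive charset entropy.

Added example for the OWASP password-guidance discussion; not Passfault's
own algorithm. Wordlist ranks and substitution table are constructed.
"""
import math
import re

# Constructed, frequency-ranked sample wordlist (rank 1 = most common guess).
# A real tool ships lists of tens of thousands of words; these ranks are illustrative.
WORD_RANK = {
    "password": 1, "qwerty": 2, "letmein": 3, "welcome": 4,
    "summer": 5, "dragon": 6, "monkey": 7, "football": 8,
    "horse": 1800, "correct": 2100, "battery": 3900, "staple": 5200,
}
# Common character substitutions an attacker applies when expanding a wordlist.
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t"}


def charset_bits(s: str) -> float:
    """Naive estimate: each character drawn uniformly from the classes present."""
    size = 0
    if re.search(r"[a-z]", s):
        size += 26
    if re.search(r"[A-Z]", s):
        size += 26
    if re.search(r"[0-9]", s):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", s):
        size += 33
    return len(s) * math.log2(size) if size else 0.0


def pattern_bits(chunk: str) -> float:
    """Cheapest known way to guess this chunk on its own, in bits (assumed costs)."""
    # Word separator in a passphrase: an attacker tries only a handful of them.
    if chunk in (" ", "-", "_"):
        return 1.0
    # Dictionary word, possibly with leet substitutions and capitalisation.
    normalised = "".join(LEET.get(c, c) for c in chunk.lower())
    if normalised in WORD_RANK:
        bits = math.log2(WORD_RANK[normalised])          # guesses to reach this rank
        if chunk != chunk.lower():
            bits += 1.0                                  # some capitalisation used
        bits += sum(1.0 for c in chunk if c in LEET)     # one bit per substitution
        return bits
    # Run of digits (years, counters, PINs).
    if chunk.isdigit():
        return len(chunk) * math.log2(10)
    # Same character repeated: choose the character, then the run length.
    if len(chunk) > 1 and len(set(chunk)) == 1:
        return charset_bits(chunk[0]) + math.log2(len(chunk))
    # Fallback: treat the chunk as random characters from its own classes.
    return charset_bits(chunk)


def estimate_bits(password: str) -> float:
    """Split the password into chunks so that the total guess cost is minimal."""
    n = len(password)
    best = [0.0] + [math.inf] * n
    for end in range(1, n + 1):
        for start in range(end):
            cost = best[start] + pattern_bits(password[start:end])
            if cost < best[end]:
                best[end] = cost
    return best[n]


def compare(password: str) -> dict:
    """Both estimates side by side, for a policy discussion or a unit test."""
    return {"naive": charset_bits(password), "pattern": estimate_bits(password)}


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd1", "correct horse battery staple"):
        r = compare(candidate)
        print(f"{candidate!r:32} naive={r['naive']:6.1f} bits  pattern={r['pattern']:6.1f} bits")
```

Run as a script it prints the two estimates for each sample: the "complex" nine-character string collapses to a few bits once the leet-normalised dictionary word and trailing digit are recognised, while the four-word passphrase keeps roughly the sum of its word ranks. The absolute numbers depend entirely on the assumed ranks; what carries over to a real checker is the structure, namely decomposing into patterns and charging for the cheapest decomposition rather than the longest.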